MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 81bf0cf226609f2e57348cff8cd45d5ecca385e113fd7f44a330aabcfc55381d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Amadey


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 81bf0cf226609f2e57348cff8cd45d5ecca385e113fd7f44a330aabcfc55381d
SHA3-384 hash: a3e4e87698c459c6220aae380f3e2517762b055510dc819961e19815860e314c63662370fe0d37d73f68c9f06eb8b6e9
SHA1 hash: d355a14472b60b60f29bab77d9c82ca6c8260dd5
MD5 hash: 24e6360c5bb6c80155d7894edaf43d03
humanhash: earth-football-thirteen-arkansas
File name:24e6360c5bb6c80155d7894edaf43d03.exe
Download: download sample
Signature Amadey
Create hunting rule
File size:1'156'984 bytes
First seen:2023-12-04 09:29:49 UTC
Last seen:2023-12-04 11:22:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:zJCe7R4SCLPgtFF96ao5cGkDELLa9ktbBqHfd58yVYCLqAYI:F77xtg51MAak9Bw6CLqlI
Threatray 4 similar samples on MalwareBazaar
TLSH T1F635E0A7AA09205FEF2E03FBE18A15113220974F313AD6532B5CD64D6FB664381758FB
TrID 30.2% (.EXE) Win64 Executable (generic) (10523/12/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4505/5/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter abuse_ch
Tags:Amadey exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
321
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/462332/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.11239.32662.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a process with a hidden window
Launching a process
Creating a file
DNS request
Sending a custom TCP request
Sending an HTTP GET request
Creating a process from a recently created file
Creating a window
Creating a file in the %temp% directory
Searching for the window
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Creating a file in the Program Files subdirectories
Moving a file to the Program Files subdirectory
Launching the process to interact with network services
Running batch commands
Blocking the User Account Control
Query of malicious DNS domain
Adding exclusions to Windows Defender
Adding an exclusion to Microsoft Defender
Unauthorized injection to a system process
Enabling autorun by creating a file
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed remcos
Link:
https://www.filescan.io/uploads/656d9c292efa450749b86b55/reports/f86e546d-45e3-4f5d-8961-91d869e6f219/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/81bf0cf226609f2e57348cff8cd45d5ecca385e113fd7f44a330aabcfc55381d
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Upgdsed
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a2115a73-ad26-43e6-8c24-7a220e6d87ff
Result
Threat name:
Amadey, Glupteba, Petite Virus, Socks5Sy
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1353041
Signature
.NET source code contains process injector
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Adds extensions / path to Windows Defender exclusion list (Registry)
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Contain functionality to detect virtual machines
Creates HTML files with .exe extension (expired dropper behavior)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables UAC (registry)
Drops script or batch files to the startup folder
Found Tor onion address
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Amadeys stealer DLL
Yara detected Generic Downloader
Yara detected Glupteba
Yara detected onlyLogger
Yara detected Petite Virus
Yara detected Socks5Systemz
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1353041 Sample: er0O6iIWXW.exe Startdate: 04/12/2023 Architecture: WINDOWS Score: 100 158 Multi AV Scanner detection for domain / URL 2->158 160 Malicious sample detected (through community Yara rule) 2->160 162 Antivirus detection for URL or domain 2->162 164 17 other signatures 2->164 9 er0O6iIWXW.exe 2 4 2->9         started        12 svchost.exe 2->12         started        14 svchost.exe 1 2->14         started        16 5 other processes 2->16 process3 signatures4 182 Uses schtasks.exe or at.exe to add and modify task schedules 9->182 184 Writes to foreign memory regions 9->184 186 Allocates memory in foreign processes 9->186 192 4 other signatures 9->192 18 AddInProcess32.exe 15 502 9->18         started        23 net.exe 9->23         started        25 powershell.exe 19 9->25         started        31 4 other processes 9->31 188 Changes security center settings (notifications, updates, antivirus, firewall) 12->188 190 Query firmware table information (likely to detect VMs) 14->190 27 conhost.exe 16->27         started        29 conhost.exe 16->29         started        process5 dnsIp6 146 98.126.19.29 VPLSNETUS United States 18->146 148 91.92.241.91 THEZONEBG Bulgaria 18->148 154 15 other IPs or domains 18->154 104 C:\Users\...\yWW9rKUrG2xoHX2fuhkfbWQf.exe, PE32 18->104 dropped 106 C:\Users\...\y6BHqO4r2tg6Kupk8AOWA0SX.exe, PE32 18->106 dropped 108 C:\Users\...\v3AzsdyWL6AtilaRV5T6RTdm.exe, PE32 18->108 dropped 112 264 other files (192 malicious) 18->112 dropped 176 Drops script or batch files to the startup folder 18->176 178 Creates HTML files with .exe extension (expired dropper behavior) 18->178 180 Writes many files with high entropy 18->180 33 HmNAmdBg7qefCKdAA2Ybr9Cu.exe 18->33         started        38 GlyAK3NwBzai4vB1IrnnYeKX.exe 18->38         started        40 4IrivoNgzMmKQRDkfyHigUEL.exe 18->40         started        50 9 other processes 18->50 42 conhost.exe 23->42         started        44 net1.exe 23->44         started        46 conhost.exe 25->46         started        150 185.196.8.22 SIMPLECARRER2IT Switzerland 31->150 152 141.98.234.31 CH-NET-ASRO Russian Federation 31->152 110 C:\ProgramData\SmartDVDSvc\SmartDVDSvc.exe, PE32 31->110 dropped 48 conhost.exe 31->48         started        file7 signatures8 process9 dnsIp10 134 107.167.110.218 OPERASOFTWAREUS United States 33->134 136 107.167.125.189 OPERASOFTWAREUS United States 33->136 142 6 other IPs or domains 33->142 86 C:\Users\user\AppData\Local\...\opera_package, PE32 33->86 dropped 88 Opera_105.0.4970.2...toupdate_x64[1].exe, PE32 33->88 dropped 90 C:\...\Assistant_103.0.4928.25_Setup[1].exe, PE32 33->90 dropped 100 5 other files (2 malicious) 33->100 dropped 166 Writes many files with high entropy 33->166 52 HmNAmdBg7qefCKdAA2Ybr9Cu.exe 33->52         started        55 HmNAmdBg7qefCKdAA2Ybr9Cu.exe 33->55         started        57 HmNAmdBg7qefCKdAA2Ybr9Cu.exe 33->57         started        92 C:\Users\...behaviorgraphlyAK3NwBzai4vB1IrnnYeKX.tmp, PE32 38->92 dropped 59 GlyAK3NwBzai4vB1IrnnYeKX.tmp 38->59         started        94 C:\Users\...\4IrivoNgzMmKQRDkfyHigUEL.tmp, PE32 40->94 dropped 61 4IrivoNgzMmKQRDkfyHigUEL.tmp 40->61         started        138 85.209.11.204 SYNGB Russian Federation 50->138 140 194.5.249.115 NXTHOST-64398NXTHOSTCOM-NXTSERVERSSRLRO Romania 50->140 144 2 other IPs or domains 50->144 96 C:\Users\user\AppData\...\4007744702.exe, PE32 50->96 dropped 98 C:\Users\user\AppData\...\2578817212.exe, PE32 50->98 dropped 102 14 other files (none is malicious) 50->102 dropped 168 Detected unpacking (changes PE section rights) 50->168 170 Detected unpacking (overwrites its own PE header) 50->170 172 Found Tor onion address 50->172 174 2 other signatures 50->174 63 cmd.exe 50->63         started        65 cmd.exe 50->65         started        67 HCsc4pT9brIzifv8kBdVTdCs.exe 50->67         started        69 3 other processes 50->69 file11 signatures12 process13 file14 114 Opera_installer_2312041100464582224.dll, PE32 52->114 dropped 71 HmNAmdBg7qefCKdAA2Ybr9Cu.exe 52->71         started        116 Opera_installer_2312041100447158152.dll, PE32 55->116 dropped 118 Opera_installer_2312041100455097876.dll, PE32 57->118 dropped 120 C:\Program Files (x86)\...\qtwasapi.exe, PE32 59->120 dropped 128 58 other files (2 malicious) 59->128 dropped 122 C:\Program Files (x86)\...\is-MD3KK.tmp, PE32 61->122 dropped 130 56 other files (1 malicious) 61->130 dropped 74 4007744702.exe 63->74         started        78 conhost.exe 63->78         started        80 2578817212.exe 65->80         started        82 conhost.exe 65->82         started        124 Opera_installer_2312041100471113200.dll, PE32 67->124 dropped 126 Opera_installer_2312041100489278056.dll, PE32 69->126 dropped 84 conhost.exe 69->84         started        process15 dnsIp16 132 Opera_installer_2312041100471111556.dll, PE32 71->132 dropped 156 144.76.82.108 HETZNER-ASDE Germany 74->156 194 Detected unpacking (changes PE section rights) 74->194 196 Detected unpacking (overwrites its own PE header) 74->196 198 Tries to harvest and steal browser information (history, passwords, etc) 74->198 file17 signatures18
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/81bf0cf226609f2e57348cff8cd45d5ecca385e113fd7f44a330aabcfc55381d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/81bf0cf226609f2e57348cff8cd45d5ecca385e113fd7f44a330aabcfc55381d/
Threat name:
Win32.Trojan.Zusy
Create hunting rule
Status:
Malicious
First seen:
2023-12-04 04:35:02 UTC
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qg7qz4rgmcps4vzurt7yzvc5l3gkhbpbcp6x6rfdgcvlz7cvhaoq._file
Verdict:
malicious
Similar samples:
8c05ce7f2040a7ea25080f7fa2b060052c1996dca83a3ea0c4b451cc1e16ced6
Amadey
f5be7905ff4e3fcff8697d08de785719c1eeac0d5ac5b8373917de764cc0cac1
Amadey
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/231204-lgg49aac84/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Windows security modification
UAC bypass
Windows security bypass
Unpacked files
SH256 hash:
81bf0cf226609f2e57348cff8cd45d5ecca385e113fd7f44a330aabcfc55381d
MD5 hash:
24e6360c5bb6c80155d7894edaf43d03
SHA1 hash:
d355a14472b60b60f29bab77d9c82ca6c8260dd5
Link:
https://www.unpac.me/results/0d75d544-f2c2-4612-94c2-4fb124ecf976/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/81bf0cf22660/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/81bf0cf226609f2e57348cff8cd45d5ecca385e113fd7f44a330aabcfc55381d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Amadey

Executable exe 81bf0cf226609f2e57348cff8cd45d5ecca385e113fd7f44a330aabcfc55381d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2735837/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/462332/

Comments